29 April 1999. Thanks to HN.
[Forwarded by HN.] From: Stefan Santesson [mailto:stefan@accurata.se] Sent: den 27 april 1999 15:22 To: ietf-pkix@imc.org Subject: EU Electronic signature directive - Latest version available All, Since the process concerning the EU directive on electronic signatures has finally come to (almost) closure, I have finally got my hands on the latest electronic version of the draft directive, with a permission to publish it on the QC-Website. So you are all welcome to download the directive, and pass it on to others, from: http://www.accurata.se/QC/ Look under "Related information" /Stefan ------------------------------------------------------------------- Stefan Santesson <stefan@accurata.se> Accurata Systemsäkerhet AB http://www.accurata.se Slagthuset Tel. +46-40 108588 211 20 Malmö Fax. +46-40 150790 Sweden Mobile +46-70 5247799 PGP fingerprint: 89BC 6C79 5B3D 591B 8547 1512 7D11 DBF4 528F 29A0 -------------------------------------------------------------------
Source: http://www.accurata.se/QC/documents/el_sig_engdir.rtf
7015/99LIMITE
ECO 107
CODEC 148
from : Coreper
on : 24 March 1999
to : TELECOMMUNICATIONS COUNCIL
No. prev. doc.: 6229/99 ECO 65 CODEC 95
No. Cion prop.: 9708/98 ECO 233 CODEC 355
Subject: Proposal for a Directive of the European Parliament and of the Council on a common framework for electronic signatures
1. At its meeting on 27 November 1998 the Council instructed Coreper to continue discussing the abovementioned proposal and to endeavour in particular to find a solution to the key issue of the security of electronic signatures, a major stumbling block to the conclusion of an agreement on the proposal.
2. At the end of a further stage of discussions Coreper succeeded in finding a solution to the key issue which is acceptable to all delegations. It also completed finalisation of the text of the Directive as a whole, taking into account in particular the Opinion of the European Parliament at first reading, from which it adopted many of the suggested amendments.
3. The draft Directive, which is set out in the Annex hereto, has already been agreed by all delegations, although the Commission is still upholding a reservation on one provision. () The text is being submitted for the agreement of the Council so that subsequently it can formally adopt a common position on the proposal.
____________
ANNEX
Draft
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty establishing the European Community, and in particular Articles 57(2), 66 and 100a thereof,
Having regard to the proposal from the Commission, (*)
In cooperation with the European Parliament, (**)
Having regard to the Opinion of the Economic and Social Committee, (***)
Having regard to the Opinion of the Committee of the Regions, (****)
Acting in accordance with the procedure laid down in Article 189b of the Treaty,
(1) Whereas the Commission presented on 16 April 1997 to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions a Communication on an European Initiative in Electronic Commerce;(2) Whereas on 8 October 1997 the Commission presented to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions a Communication on ensuring security and trust in electronic communication - Towards a European framework for digital signatures and encryption;
(3) Whereas on 1 December 1997, the Council invited the Commission to submit as soon as possible a proposal for a Directive of the European Parliament and of the Council on digital signatures;
(4) Whereas electronic communication and commerce necessitate "electronic signatures" and related services allowing data authentication; whereas divergent rules with respect to legal recognition of electronic signatures and the accreditation of certification service providers in the Member States may create a significant barrier to the use of electronic communications and electronic commerce; whereas clear common framework conditions for electronic signatures, on the other hand, will strengthen confidence in and general acceptance of the new technologies; whereas divergent actions in the Member States must not be allowed to hinder the free movement of goods and services in the internal market;
(5) Whereas the interoperability of electronic signature products should be promoted; whereas, in accordance with Article 7a of the Treaty, the Internal Market is to comprise an area in which the free movement of goods is to be ensured; whereas essential requirements specific to electronic signature products must be met in order to ensure free circulation within the Internal Market and to build trust in electronic signatures, without prejudice to Regulation (EC) No 3381/94 setting up a Community regime for the control of exports of dual-use goods and Decision 94/942/CFSP on the joint action adopted by the Council on the basis of Article J.3 of the Treaty on European Union concerning the control of exports of dual-use goods;
(5a) Whereas this Directive does not seek to harmonise the provision of services for the confidentiality of information when they are covered by national provisions concerned with public policy or public security;(6) Whereas the rapid technological development and the global character of the Internet necessitate an approach which is open to various technologies and services capable of authenticating data electronically;
(6a) Whereas the Commission will bring forward a review of this Directive two years after its implementation in part to ensure that the advance of technology or changes to the legal environment have not created barriers to achieving the aims stated in this Directive; whereas it should examine the implications of associated technical areas and submit a report to Parliament and Council on this subject;(7) Whereas electronic signatures will be used in a large variety of circumstances and applications, resulting in a wide range of new services and products related to or using electronic signatures;
whereas the definition of such products and services should not be limited to the issuance and management of certificates, but also encompass any other service and product using or ancillary to electronic signatures, such as registration services, time-stamping services, directory services, computing services or consultancy related to electronic signatures;
Whereas the internal market enables certification service providers to develop their cross-border activities with a view to increasing their competitiveness, and thus offer consumers and business new opportunities to exchange information and to trade electronically in a secure way, regardless of frontiers; whereas in order to stimulate the Community-wide provision of certification services over open networks, certification service providers should in general be free to offer their services without prior authorization;
Whereas prior authorization does not only mean any permission which requires the certification service provider concerned to obtain a decision by national authorities before being allowed to provide its certification services, but also any other measures having the same effect;
(8) Whereas voluntary accreditation schemes aiming at enhanced level of service provision may offer certification service providers the appropriate framework to develop further their services towards the levels of trust, security and quality demanded by the evolving market;
Whereas voluntary accreditation means any permission, setting out rights and obligations specific to the provision of certification services, to be granted upon request by the certification service provider concerned, by the public or private authority charged with the elaboration of, and supervision of compliance with, such rights and obligations, where the certification service provider is not entitled to exercise the rights stemming from the permission until it has received the decision by the authority.
Whereas such schemes should encourage the development of best practice among certification service providers; whereas certification service providers should be left free to adhere to and benefit from such accreditation schemes;
Whereas certification services can be offered either by a public entity or a legal or natural person, when it is established in accordance with the national law;
Whereas Member States should not prohibit certification service providers from operating outside such accreditation schemes; whereas it should be ensured that accreditation schemes do not reduce competition for certification services;
Whereas Member States may decide how they ensure the supervision of compliance with the provisions laid down in this Directive; whereas this Directive does not exclude the establishment of private sector based supervision systems;
Whereas this Directive does not oblige certification service providers to apply to be supervised under any applicable accreditation;
whereas it is important to strike a balance between consumer and business needs;
(8a) Whereas Annex III covers requirements for secure signature creation devices to ensure the functionality of advanced electronic signatures; whereas it does not cover the entire system environment in which such devices operate; whereas the functioning of the Internal Market requires the Commission and the Member States to act swiftly to enable the designation of the bodies charged with the conformity assessment of secure signature devices with Annex III; whereas in order to meet market needs conformity assessment must be timely and efficient;(9) Whereas this Directive therefore contributes to the use and legal recognition of electronic signatures within the Community; whereas a regulatory framework is not needed for electronic signatures exclusively used within closed systems; nevertheless electronic signatures which fulfil the requirements laid down in this Directive and which are used within closed user groups should be legally recognised; whereas the freedom of parties to agree among themselves the terms and conditions under which they accept electronically signed data should be respected to the extent allowed by national law; whereas this Directive is not intended at harmonizing national rules concerning contract law, particularly the formation and performance of contracts, or other non-contractual formalities requiring signatures; whereas for this reason the provisions concerning the legal effect of electronic signatures should be without prejudice to form requirements prescribed by national law with regard to the conclusion of contracts or the rules determining where a contract is concluded;
Whereas the storage and copying of signature creation data could cause a threat to the legal validity of electronic signatures;
Whereas electronic signatures will be used in the public sector within national and Community administrations and in communication between such administrations and with citizens and economic operators, for example in public procurement, taxation, social security, health and justice system;
(10) Whereas harmonized criteria connected to the legal effect of electronic signatures will preserve a coherent legal framework across the Community; whereas national law lays down different requirements for the legal validity of hand-written signatures; whereas advanced electronic signatures which are related to a qualified certificate and which are created by a secure signature creation device can be regarded as legally equivalent to hand-written signatures only if these requirements for hand-written signatures are fulfilled; whereas in order to contribute to the general acceptance of electronic authentication methods it has to be ensured that electronic signatures can be used as evidence in legal proceedings in all Member States; whereas the legal recognition of electronic signatures should be based upon objective criteria and not be linked to authorization of the service provider involved; Whereas national law governs the use of electronic documents and electronic signatures; whereas this Directive is without prejudice to the ability of a court to conclude on the conformity with the requirements of the Directive and does not affect national rules regarding the free judicial consideration of evidence;
(10a) Whereas the internal market comprises also the free movement of persons, as a result of which citizens of, and residents, in the European Union increasingly need to deal with authorities in Member States other than the one in which they reside; whereas the availability of electronic communication could be of great service in this respect;(11) Whereas certification service providers offering certification services to the public are subject to national liability rules;
(12) Whereas the development of international electronic commerce requires cross-border mechanisms which involve third countries; whereas those mechanisms should be developed at a business level; whereas in order to ensure interoperability at a global level agreements on multilateral rules with third countries on mutual recognition of certification services could be beneficial;
(13) Whereas in order to stimulate electronic communication and electronic commerce by ensuring user confidence, service providers must respect data protection legislation and individual privacy;
Whereas the provision on the use of pseudonyms in certificates does not prevent Member States from requiring identification of persons pursuant to Community or national law;
(14) Whereas for the purposes of the application of this Directive, the Commission should be assisted by a management committee;
(15) Whereas in accordance with the principles of subsidiarity and proportionality as set out in Article 3b of the Treaty, the objective of creating a harmonised legal framework for the provision of electronic signatures and related services cannot be sufficiently achieved by the Member States and can therefore be better achieved by the Community; whereas this Directive confines itself to the minimum required in order to achieve that objective and does not go beyond what is necessary for that purpose,
HAVE ADOPTED THIS DIRECTIVE:
Scope
This Directive aims at facilitating the use of electronic signatures as well as contributing to their legal recognition. It establishes a legal framework for electronic signatures and certain certification services in order to ensure the proper functioning of the Internal Market.
It does not cover aspects related to the conclusion and validity of contracts or other legal obligations where there are form requirements prescribed by national or Community law nor does it affect rules and limits governing the use of documents contained in national or community law.
For the purpose of this Directive:
1. "electronic signature" means data in electronic form attached to, or logically associated with, other electronic data and which serves as a method of authentication.
1a "advanced electronic signature" means an electronic signature which meets the following requirements:(a) it is uniquely linked to the signatory;(b) it is capable of identifying the signatory ;
(c) it is created using means that the signatory can maintain under his sole control; and
(d) it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.
2. "signatory" means a person who holds a signature creation device and acts either on their own behalf or on the behalf of the person or the entity they represent.
3. "signature creation data" means unique data such as codes or private cryptographic keys, which is used by the signatory in creating an electronic signature.
3a "signature creation device" means a configured software or hardware device to implement the signature creation data.3b "secure signature creation device" is a signature creation device that meets the requirements of Annex III.
4. "signature verification data" means data, such as codes or public cryptographic keys, which is used in verifying the electronic signature.
4a "signature verification device" means a configured software or hardware device to implement the signature verification data.4b "certificate" means an electronic attestation which links a signature verification data to a person, and confirms the identity of that person.
5. "qualified certificate" means a certificate which meets the requirements laid down in Annex I and is provided by a certification service provider that fulfils the requirements laid down in Annex II.
6. "certification service provider" means a person who or entity which issues certificates or provides other services related to electronic signatures.
7. "electronic signature product" means hardware or software, or relevant components thereof, which are intended to be used by a certification service provider for the provision of electronic signature services or used for the creation or verification of electronic signatures.
Article 3
Market access
1. Member States shall not make the provision of certification services subject to prior authorization.
2. Without prejudice to the provisions of paragraph 1, Member States may introduce or maintain voluntary accreditation schemes aiming at enhanced levels of certification service provision. All conditions related to such schemes must be objective, transparent, proportionate and non-discriminatory. Member States may not limit the number of accredited certification service providers for reasons which fall under the scope of this Directive.
2a Member States shall ensure the establishment of an appropriate system which allows the supervision of Certification Service Providers established on its territory which issue qualified certificates to the public.2b Conformity of secure signature creation devices with Annex III is determined by appropriate public or private bodies designated by Member States. The Commission shall, pursuant to the procedure laid down in Article 9, establish criteria for Member States in determining whether a body is appropriate to be designated.
Determination of conformity with the requirements of Annex III made by these bodies shall be recognised by all Member States.
3. The Commission may, according to the procedure laid down in Article 9, establish and publish reference numbers of generally recognised standards for electronic signature products in the Official Journal of the European Communities. Member States shall presume compliance with the requirements laid down in point (e) of Annex II and Annex III when an electronic signature product meets those standards.
3a Member States and Commission shall work together to promote the development and use of signature verification devices, in the light of the recommendations in Annex IV and in the interest of the consumer.
4. Member States may make the use of electronic signatures in public sector subject to possible additional requirements. Such requirements shall be objective, transparent, proportionate, and non-discriminatory, and shall only relate to the specific characteristics of the application (*) concerned. Such requirements may not constitute an obstacle to cross-border services for citizens.
Article 4
Internal Market principles
1. Each Member State shall apply the national provisions it adopts pursuant to this Directive, to certification service providers established on its territory, and to the services they provide. Member States may not restrict the provision of certification services that originate in another Member State in the fields covered by this Directive.
2. Member States shall ensure that electronic signature products which comply with this Directive are permitted to circulate freely in the Internal Market.
Article 5
Legal effects
"1. Member States shall ensure that advanced electronic signatures which are based on a qualified certificate and which are created by a secure signature creation device
(a) satisfy the legal requirement of a signature in relation to data in electronic form in the same manner as a handwritten signature satisfies that requirement in relation to paper-based data, and(b) are admissible as evidence in legal proceedings.
2. Member States shall ensure that an electronic signature is not denied legal effectiveness and admissibility as evidence in legal proceedings solely on the grounds that the signature is in electronic form, or is not based upon a qualified certificate, or is not based upon a qualified certificate issued by accredited certification service provider, or is not created by a secure signature creation device."
Article 6
Liability
1. As a minimum Member States shall ensure that by issuing a certificate as a qualified certificate to the public or by guaranteeing a certificate to the public a certification service provider is liable for damage caused to any person who reasonably relies on the certificate for:
(a) accuracy of all information in the qualified certificate as of the time of issuance,(b) [...]
(c) assurance that at the time of the issuance of the certificate, the person identified in the qualified certificate held the signature creation data corresponding to the signature verification data given or identified in the certificate;
(d) assurance that the signature creation data and the signature verification data can be used in a complementary manner, in cases where the certification service provider generates them both;
unless the certification service provider proves that he has not acted negligently.
1a As a minimum Member States shall ensure that a certification service provider who has issued a certificate as a qualified certificate to the public is liable for damage caused to any person who reasonably relies on the certificate for failure to register revocation of the certificate unless the certification service provider proves that he has not acted negligently.
[2 not used]
3. Member States shall ensure that a certification service provider may indicate in the qualified certificate limits on the uses of a certain certificate the limit must be recognizable to third parties. The certification service provider shall not be liable for damages arising from a contrary use of a qualified certificate which includes limits on its uses.
4. Member States shall ensure that a certification service provider may indicate in the qualified certificate a limit on the value of transactions for which the certificate can be used.
5. The provisions of paragraphs 1 to 4 shall be without prejudice to Council Directive 93/13/EC.
Article 7
International aspects
1. Member States shall ensure that certificates which are issued as qualified certificates to the public by a certification service provider established in a third country are recognised as legally equivalent to certificates issued by a certification service provider established within the European Community:
(a) if the certification service provider fulfils the requirements laid down in this Directive and has been accredited in the context of a voluntary accreditation scheme established in a Member State of the European Community; or(b) if a certification service provider established within the Community, which fulfils the requirements laid down in this Directive, guarantees the certificate; or
(c) if the certificate or the certification service provider is recognized under the regime of a bilateral or multilateral agreement between the Community and third countries or international organizations.
2. In order to facilitate cross-border certification services with third countries and legal recognition of advanced electronic signatures originating in third countries, the Commission will make proposals where appropriate to achieve the effective implementation of standards and international agreements applicable to certification services. In particular and where necessary, it will submit proposals to the Council for appropriate mandates for the negotiation of bilateral and multilateral agreements with third countries and international organizations. The Council shall decide by qualified majority.
3. Whenever the Commission is informed of any difficulties encountered by Community undertakings with respect to placing on the market in third countries, it may, if necessary, submit proposals to the Council for an appropriate mandate for the negotiation of comparable rights for Community undertakings in these third countries. The Council shall decide by qualified majority.
Measures taken pursuant to this paragraph shall be without prejudice to the obligations of the Community and of the Member States under relevant international agreements.
Article 8
Data Protection
1. Member States shall ensure that certification service providers and national bodies responsible for accreditation or supervision comply with the requirements laid down in Directive 95/46/EC of the European Parliament and of the Council.
2. Member States shall ensure that a certification service provider which issues certificates to the public may collect personal data only directly from the data subject, or after the explicit consent of the data subject, and only insofar as it is necessary for the purposes of issuing and maintaining the certificate. The data may not be collected or processed for any other purposes without the explicit consent of the data subject.
3. Without prejudice to the legal effect given to pseudonym under national law, Member States shall not prevent certification service providers from indicating in the certificate a pseudonym instead of the signatory’s name.
4. [...]
Article 9
Committee
The Commission shall be assisted by a Committee, called the "Electronic Signature Committee" (hereinafter referred to as "the Committee"), composed of representatives of the Member States and chaired by a representative of the Commission.
The representative of the Commission shall submit to the Committee a draft of the measures to be taken. The Committee shall deliver its opinion on the draft within a time-limit which the Chairman may lay down according to the urgency of the matter. The opinion shall be delivered by the majority laid down in Article 148(2) of the Treaty in the case of decisions which the Council is required to adopt on a proposal from the Commission. The votes of the representatives of the Member States within the Committee shall be weighted in the manner set out in that Article. The chairman shall not vote.
The Commission shall adopt measures which shall apply immediately. However, if these measures are not in accordance with the opinion of the Committee, they shall be communicated by the Commission to the Council forthwith. In that event:
The Commission shall defer application of the measures for three months from the date of communication.The Council, acting by a qualified majority, may take a different decision within the time limit referred to in the previous paragraph.
Article 10
Tasks of the Committee
Clarification of the requirements laid down in Annexes, the criteria referred to Article 3(2b) and the generally recognized standards for electronic signature products pursuant to Article 3(3), shall be determined in accordance with the procedure laid down in Article 9.
Article 11
Notification
1. The following information shall be supplied by the concerned Member States to the Commission and the other Member States:
(a) information on voluntary national accreditation regimes, including any additional requirements pursuant to Article 3(4);(b) the names and addresses of the national bodies responsible for accreditation and supervision; as well as the bodies referred to in Article 3(2b);
(c) the names and addresses of all accredited national certification service providers.
2. Any information supplied under paragraph 1 and changes in respect of that information shall be notified by the Member States as soon as possible.
Article 12
Review
1. The Commission shall review the operation of this Directive and report thereon to the European Parliament and to the Council by [...] (*) at the latest.
2. The review shall, inter alia, assess whether the scope of the Directive should be modified taking account of technological, market and legal developments. The report shall in particular include an assessment, on the basis of the experience gained, of aspects of harmonisation. The report shall be accompanied, where appropriate, by complementary legislative proposals.
Article 13
Implementation
1. Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with this Directive by [...] (**). They shall immediately inform the Commission thereof.
When Member States adopt these provisions, they shall contain a reference to this Directive or shall be accompanied by such a reference at the time of their official publication. The procedure for such reference shall be adopted by Member States.
2. Member States shall communicate to the Commission all other provisions of national law which they adopt in the field governed by this Directive.
Article 14
Entry into force
This Directive shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Communities.
Article 15
Addressees
This Directive is addressed to the Member States.
Done at Brussels,For the European Parliament For the Council
The President The President
_____________________
ANNEX I
Requirements for qualified certificates
Qualified certificates must contain:
(x) an indication that the certificate is issued as a qualified certificate;(a) the identification and the country of establishment of the certification service provider issuing it;
(b) the name of the holder or a pseudonym which shall be identified as such;
(c) provision for a specific attribute of the holder to be included if relevant, depending on the purpose for which the certificate is intended;
(d) a signature verification data which corresponds to a signature creation data under the control of the holder;
(e) beginning and end of the period of validity of the certificate;
(f) the identity code of the certificate;
(g) the advanced electronic signature of the certification service provider issuing it;
(h) limitations on the scope of use of the certificate, if applicable; and
(i) limitations on the value of transactions for which the certificate can be used if applicable.
_______________________
ANNEX II
Certification service providers must:
(a) demonstrate the reliability necessary for offering certification services;(b) ensure the operation of a prompt and secure directory and secure and immediate revocation service;
(ba) ensure that the date and time, when a certificate is issued or revocated, can be determined;(c) verify by appropriate means in accordance with national law the identity and if applicable any specific attributes of the person to which a qualified certificate is issued;
(d) employ personnel which possesses the expert knowledge, experience, and qualifications necessary for the offered services, in particular competence at the managerial level, expertise in electronic signature technology and familiarity with proper security procedures; they must also exercise administrative and management procedures and processes that are adequate and which correspond to recognised standards;
(e) use trustworthy systems and products which are protected against modification and which must ensure the technical and cryptographic security of the processes supported by them;
(f) take measures against forgery of certificates, and, in cases where the certification service provider generates signature creation data, guarantee the confidentiality during the process of generating that data;
(g) maintain sufficient financial resources to operate in conformity with the requirements laid down in this Directive, in particular to bear the risk of liability for damages, for example, by obtaining an appropriate insurance;
(h) record all relevant information concerning a qualified certificate for an appropriate period of time, in particular to provide evidence of certification for the purposes of legal proceedings. Such recording may be done electronically;
(i) not store or copy signature creation data of the person to whom the certification service provider offered key management services;
(j) before entering into a contractual relationship with a person seeking a certificate from it to support his electronic signature, inform that person by a durable means of communication of the precise terms and conditions for the use of the certificate, including any limitations on the use of the certificate, the existence of a voluntary accreditation and the procedures for complaints and dispute settlement. Such information must be in writing which may be transmitted electronically and in readily understandable language. Relevant parts of this information must also be made available on request to third parties relying on the certificate;
(k) use trustworthy systems to store certificates in a verifiable form so that
- only authorised persons can make entries and changes,- information can be checked for authenticity,
- certificates are publicly available for retrieval only in those cases for which the certificate holder's consent has been obtained; and
- any technical changes compromising these security requirements will be apparent to the operator.
_______________________
ANNEX III
Requirements for secure electronic signature creation devices
1. Secure signature creation devices must at least ensure, by appropriate technical and procedural means, that
(a) the signature creation data used for signature generation can practically occur only once, and that its secrecy is reasonably assured;(b) the signature creation data used for signature generation cannot be derived with reasonable assurance and that the signature is protected against forgery using currently available technology;
(c) the signature creation data used for signature generation can be reliably protected by the legitimate holder against the use of others.
2. Secure signature creation devices must not alter the data to be signed or prevent such data from being presented to the signatory prior to the signature process.
________________
ANNEX IV
Recommendations for signature verification
During signature verification process it should be ensured with reasonable certainty, that
(a) the data used for verifying the signature correspond to the data displayed to the verifier;(b) the signature is reliably verified and the result of that verification is correctly displayed;
(c) the verifier can, as necessary, reliably establish the contents of the signed data;
(d) the authenticity and validity of the certificate required at the time of signature verification are reliably verified, and that the result of verification and the signatory's identity are correctly displayed and the use of a pseudonym clearly indicated; and
(e) any security relevant changes can be detected.
Converted to HTML by JYA/Urban Deadline.